Table of Contents
Installation NetYCE on RHEL 7
This installation guide installs NetYCE version 7.x on a Redhat 7 or Centos 7 physical or virtual x86_64 platform.
References to EL or RHEL refer to RedHat Enterprise Linux or CentOS Linux. All OS versions and packages are required to use the x86_64 architecture, that is x86 processors running 64-bit. The installation applies to both physical and virtual platform deployments.
Introduction
The choice of operating system (Redhat or CentOS), disk filesystem layout, installed packages, and security hardening are mostly defined by the customers common practice. NetYCE does have some requirements on disk-usage and directory-trees that may warrant filesystem allocations, and we do rely on a specific functional user, yce that requires some sudo permissions.
A basic set of packages should be installed which will later be amended by specific NetYCE software. The basic OS installation can easily be realized by the customer, but we recommend the NetYCE software installation and configuration to be a joint effort.
During the first install of the NetYCE software packages, the configuration preferences and details of the NetYCE system and its architecture will be defined and initialized. Subsequent software upgrades and patches can be installed by the application manager using the NetYCE front-end without requiring system privileges. Only on some major upgrades will those be required.
The NetYCE software installation consists of two self-installing packages, YCE and YCEperl, a sample database and a license file. The installation depends on MariaDB (mysql server), apache (http server), fping and some standard distribution packages (openssl, tftp, ftp, ssh, telnet, gtar, etc). Mysecureshell is a non standard distribution package we use for sftp jail functionality.
System specification
The hardware requirements of NetYCE are moderate by itself although much depends on the intended level of use and the application architecture selected.
In general we suggest to deploy two NetYCE servers in different data centers attached to Network Management (NMS) networks. These systems will provide both front-end (user and network facing) functions AND a database function. These functions can be configured to provide live failover and backup services by means of master-master replication. The front-end functions support 10-20 simultaneous users and can execute several thousand config changes per hour.
For such deployments a physical or virtual x86 server needs to have at least two CPU cores and 4 GB of memory, but 4 cores and 8 GB memory is recommended.
Disk space can be local or SAN based and should not exceed 50 GB. This disk space is allotted to a single filesystem or split across several, depending on system management preferences.
The NetYCE directory structure uses several trees for various functions. Assigning the mysql, shared and working/logs trees individual filesystems is recommended.
/ - 3 to 6 GB (OS root, bin, usr, lib, opt, etc) /opt/yce - 100 MB /opt/nms - 100 MB /opt/ycelib - 500 MB /var/opt/yce - 3 to 6 GB (logs and working data) /var/opt/shared - 6 to 12 GB (tftp, os-files) /var/opt/mysql - 4 to 8 GB (mysql data)
Verifications and preparations
SElinux
verify SELinux is not active:
$ cat /etc/selinux/config
⇒ preferred SELINUX=disabled
⇒ workable SELINUX=permissive
In case it's set to enforcing, edit /etc/selinux/config
change SELINUX=enforcing to SELINUX=disabled and reboot the VM otherwise it doesnt take effect.
Make sure to have a hostname set, and check the output of the commands below
Hostname
hostnamectl set-hostname rhel7.netyce.org
[root@localhost ~]# uname -i x86_64
verify ip settings:
$ hostname
⇒ hostname (pref not fqdn)
$ hostname --domain
⇒ domain name
$ hostname --ip-address
⇒ one (1) ip-address of the local interface
correct using 'setup'
correct in /etc/hosts
DNS
verify dns is configured:
- update /etc/resolv.conf is needed
- test using nslookup of a device (in case of installing on a minimal installation, you'll need to install bind-utils first using yum)
- check search path and domain
Openssl
verify openssl is installed:
$ openssl
⇒ must start, then type 'quit'
Rpm
verify rpm is functional:
- e.g. # rpm -v
Valid release
verify a valid RedHat (or Centos) release is present.
$ cat /etc/redhat-release
⇒ Supported RHEL7 release is 7.6
To update a release to the latest RHEL7,
connect the server to the internet and use the command (as root):
# yum update
When completed, reboot and verify using:
$ cat /etc/redhat-release
Note: During the install or updates, yum might (re-)enable 'firewalld'!
If your system's firewalld is not configured, the default setting will only allow SSH connections and block all others, including httpd, mysql, yce_xch, yce_sched, etc.
Firewalld
To disable 'firewalld':
systemctl stop firewalld systemctl disable firewalld
Timezone
Set timezone
/etc/sysconfig/clock – add UTC=yes for Hypervisors that do not set the hwclock to UTC time
ZONE="Europe/Amsterdam" UTC="yes"
/etc/sysconfig/ntpdate – set option to keep hw-clock in sync after ntpdate adjustment
SYNC_HWCLOCK=yes
Set locales
add the following lines to /etc/environment
LANG=en_US.utf-8 LC_ALL=en_US.utf-8
Filesystems
Some customer linux sytems have a filesystem setup where most applications subtrees
have their own volume. The sizes need to be adjusted to match the required size.
Use the command:
# lvextend -L <size> -r <fs-device>
On the filesystems below.
Check with the df -h command the actual device name
mountpoint size device /opt/nms /opt/yce /opt/ycelib 2G /dev/mapper/vg.appl-lv.optycelib /var/opt/yce 2G /dev/mapper/vg.appl-lv.varoptyce /var/opt/mysql 5G /dev/mapper/vg.appl-lv.varoptmysql /var/opt/shared 5G /dev/mapper/vg.appl-lv.varoptshared
Typical systems are setup with separate filesystems for:
/opt 10G /var/opt/mysql 5G /var/opt/shared 5G
Prerequisites for installation
Make sure to have the following available on your VM:
The yceperl binary, YCE binary, your yce_license and a NetYCE database if applicable.
NetYCE installation
Yum packages to install from default repository
Install the following packages from the default repository using yum, we will install other packages from non standard repo's in this guide:
- rhel7_packages.txt
SDL apr apr-util at atlas autofs autogen-libopts avahi-libs bc bind-libs bind-utils bison blas blktrace boost-date-time boost-program-options boost-system boost-thread bridge-utils byacc bzip2 centos-indexhtml cmake crda crypto-utils cryptsetup cscope ctags cyrus-sasl-plain desktop-file-utils diffstat dmraid dmraid-events doxygen dstat dwz dyninst ed efivar-libs elfutils emacs-filesystem epel-release flex fontconfig fontpackages-filesystem fribidi ftp galera gdbm-devel gettext-common-devel gettext-devel gnutls gpg-pubkey gpm-libs graphite2 gsm gssproxy harfbuzz hdparm hesiod hicolor-icon-theme httpd httpd-manual httpd-tools indent iotop ius-release jbigkit-libs kernel keyutils keyutils-libs-devel krb5-devel lapack ldns libarchive libbasicobjects libcollection libcom_err-devel libdwarf libevent libfprint libgfortran libini_config libjpeg-turbo libkadm5 libmodman libnfsidmap libnl libogg libpath_utils libpcap libproxy libquadmath libref_array libselinux-devel libsepol-devel libsndfile libtar libtheora libtirpc libusbx libverto-devel libverto-libevent libvorbis libwayland-server libxml2-python libzip lsof m4 mailcap mailx man-pages man-pages-overrides mdadm mlocate mod_nss mod_ssl mod_wsgi mokutil mpfr mtr neon net-snmp-libs net-snmp-utils nettle nfs-utils nfs4-acl-tools nscd nss-pam-ldapd ntp ntpdate ntsysv numactl numpy openldap-clients openssl-devel oprofile pakchois patch patchutils pciutils pcre-devel perf php php-cli php-common pixman psmisc pygobject2 pyparsing python-augeas python-backports python-backports-ssl_match_hostname python-chardet python-ipaddress python-kitchen python-nose python-setuptools python-six python2-futures quota quota-nls rcs redhat-rpm-config rpcbind rpm-sign rsync satyr sg3_utils-libs sgpio sos swig systemd-python tcp_wrappers tcsh telnet tftp theora-tools time tmpwatch traceroute trousers unbound-libs unzip usermode vim-common vim-enhanced vim-filesystem vsftpd wget xdg-utils xmlrpc-c xmlrpc-c-client xz-lzma-compat yum-utils zip zlib-devel
Fping
yum -y install https://centos7.iuscommunity.org/ius-release.rpm yum -y install fping
MySecureShell
echo "[mysecureshell] name=MySecureShell baseurl=http://mysecureshell.free.fr/repository/index.php/centos/6.4/ enabled=1 gpgcheck=0" > /etc/yum.repos.d/mysecureshell.repo
yum -y install mysecureshell
Install MariaDB
cat > /etc/yum.repos.d/MariaDB_10_3.repo << EOF # MariaDB 10.3 CentOS repository list - created 2019-06-20 15:41 UTC # http://downloads.mariadb.org/mariadb/repositories/ [mariadb] name = MariaDB baseurl = http://yum.mariadb.org/10.3/centos7-amd64 gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB gpgcheck=1 EOF
yum -y install MariaDB-server MariaDB-client
Install snmpd
cat > /etc/snmp/snmpd.conf << EOF # Map 'readsys' community to the 'ConfigUser' # Map 'readall' community to the 'AllUser' # sec.name source community com2sec ConfigUser default readsys com2sec AllUser default readall # Map 'ConfigUser' to 'ConfigGroup' for SNMP Version 2c # Map 'AllUser' to 'AllGroup' for SNMP Version 2c # sec.model sec.name group ConfigGroup v2c ConfigUser group AllGroup v2c AllUser # Define 'SystemView', which includes everything under .1.3.6.1.2.1.1 (or .1.3.6.1.2.1.25.1) # Define 'AllView', which includes everything under .1 # incl/excl subtree view SystemView included .1.3.6.1.2.1.1 view SystemView included .1.3.6.1.2.1.25.1.1 view AllView included .1 # Give 'ConfigGroup' read access to objects in the view 'SystemView' # Give 'AllGroup' read access to objects in the view 'AllView' # context model level prefix read write notify access ConfigGroup "" any noauth exact SystemView none none access AllGroup "" any noauth exact AllView none none EOF
To start snmpd: systemctl start snmpd. ('stop' to turn off)
To enable snmpd at boot: systemctl enable snmpd. ('disable' to disable).
Yce user creation and bash and vim profile settings
# create the group with gid 8000
groupadd -g 8000 nms
# create a user with group nms with a home directory and no group yce
useradd -g nms -m -u 8000 -s /bin/bash yce
# set the password for user yce
passwd yce
# .bash_profile for yce user:
# .bash_profile
#
# NetYCE, 2018
#
"export LC_ALL=C"
if [ -r "/opt/yce/system/go" ]; then
export RDEV="devel6"
source "/opt/yce/system/go"
else
echo "Skipping 'go'"
fi
export PATH="$PATH:/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin:/opt/yce/bin:/opt/yce/system:."
export LD_LIBRARY_PATH="/lib:/usr/lib:/usr/local/lib"
export LC_CTYPE="en_US.UTF-8"
export LC_ALL=C
export EDITOR=vi
if [ "${TERM}x" = "x" ]; then
export TERM=ansi
stty erase ^?
fi
if [ "$TERM" = "ansi" ]; then
stty erase ^H
fi
set -o emacs
umask 0002
export PS1='\e[32m\u@\h\e[0m \w\n\$ '
if [ -f /etc/DIR_COLORS ]; then
# eval `dircolors -b /etc/DIR_COLORS | sed 's/di=01;93/di=01;34/'`
alias ls='ls -N --color=tty -T 0 '
fi
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
alias perl='/opt/ycelib/perl/bin/perl'
alias perldoc='/opt/ycelib/perl/bin/perldoc'
alias srch='/opt/yce/system/tools/srch.pl'
alias l='ls -lF'
alias ll='ls -laF'
alias lc='ls -CaF'
alias lr='ls -latrF'
alias o='less'
alias grep='grep --color=auto'
alias gerp='grep'
alias cp='cp -i'
# .bashrc for yce
cat >> /home/yce/.bashrc << EOF
# User specific aliases and functions
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
EOF
# .vimrc for yce
cat > /home/yce/.vimrc << EOF set ts=4 set sw=4 set ai set noerrorbells set formatoptions-=r EOF
.bash_profile and .vimrc for root user:
# .bash_profile
#
# NetYCE, 2018
#
if [ -r "/opt/yce/system/go" ]; then
export RDEV="devel6"
source "/opt/yce/system/go"
else
echo "Skipping 'go'"
fi
export PATH="$PATH:/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin:/opt/yce/bin:/opt/yce/system:."
export LD_LIBRARY_PATH="/lib:/usr/lib:/usr/local/lib"
export LC_CTYPE="en_US.UTF-8"
export LC_ALL=C
export EDITOR=vi
if [ "${TERM}x" = "x" ]; then
export TERM=ansi
stty erase ^?
fi
if [ "$TERM" = "ansi" ]; then
stty erase ^H
fi
set -o emacs
umask 0002
export PS1='\e[32m\u@\h\e[0m \w\n\$ '
if [ -f /etc/DIR_COLORS ]; then
# eval `dircolors -b /etc/DIR_COLORS | sed 's/di=01;93/di=01;34/'`
alias ls='ls -N --color=tty -T 0 '
fi
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
alias perl='/opt/ycelib/perl/bin/perl'
alias perldoc='/opt/ycelib/perl/bin/perldoc'
alias srch='/opt/yce/system/tools/srch.pl'
alias l='ls -lF'
alias ll='ls -laF'
alias lc='ls -CaF'
alias lr='ls -latrF'
alias o='less'
alias grep='grep --color=auto'
alias gerp='grep'
alias cp='cp -i'
echo " "
if [ -x "/opt/yce/system/net_setup.pl" ]; then
/opt/yce/system/net_setup.pl
else
echo "ERROR: cannot start net_setup.pl"
fi
echo " "
echo " You can setup the networking by logging in "
echo " as 'root' or using"
echo " /opt/yce/system/net_setup.pl"
echo " "
echo " YCE setup can be restarted as 'yce' user using"
echo " /opt/yce/system/yce_setup.pl"
echo " "
# .bashrc
cat >> ~/.bashrc << EOF
# User specific aliases and functions
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
EOF
# .vimrc for root
cat > ~/.vimrc << EOF set ts=4 set sw=4 set ai set noerrorbells set formatoptions-=r EOF
Sudo setup
A couple of 'services' will be installed for NetYCE:
- yce_psmon
- httpd
- mysql
- vsftpd
Of these, yce_psmon and httpd require 'root' permissions to start.
Since all application maintenance will (or should) be executed using the functional user 'yce', sudo should be setup to permit this.
The default setup expects /sbin/service to be available for the 'yce' user. Execution should not require a password.
Add the following using visudo, remove any mention of sudoers.d (if present) at the end of the file:
# Yce Cmnd_Alias YCE = /opt/yce/system/init/yce_tftpd # Installation and management of software Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum, /usr/bin/updatedb, /bin/ping # Processes Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall, /usr/bin/pkill # Networking Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool, /usr/sbin/ip, /usr/sbin/dhclient, /usr/sbin/iptables, /usr/sbin/ifstat, /sbin/iwconfig, /usr/sbin/ethtool # Storage Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp Cmnd_Alias SHELLS = /bin/sh,/bin/bash Cmnd_Alias SU = /bin/su Cmnd_Alias LOGIN = /bin/login Cmnd_Alias REBOOT = /usr/bin/reboot Cmnd_Alias SHUTDOWN = /usr/bin/poweroff, /usr/bin/halt, /sbin/shutdown Defaults !requiretty #==== YCE user group 'nms' # Below are a few examples. # For production the MINIMUM profile might be a good start. # For testing, the MAINTENANCE is regularly used. # MINIMUM # No password required for YCE applications, ALL other applications are allowed with a password. %nms ALL = PASSWD:ALL, NOPASSWD:YCE # MAINTENANCE # No password required for YCE applications and services and processes. NO other applications are allowed to run at all! # %nms ALL=NOPASSWD:YCE, SERVICES, PROCESSES # Same, but all applications are allowed if you know the password. # %nms ALL=NOPASSWD:YCE, SERVICES, PROCESSES, PASSWD:ALL # DEVELOPMENT # %nms ALL=NOPASSWD:SOFTWARE, YCE, SERVICES, PROCESSES, PASSWD:ALL # %nms ALL=NOPASSWD:DELEGATING, NETWORKING, SOFTWARE, YCE, SERVICES, PROCESSES, PASSWD:ALL # %nms ALL=NOPASSWD:ALL
bash_aliases for root
put the following in /root/.bash_aliases:
export PAGER="less" export EDITOR="vim" alias l='ls -CF' alias ll='ls -lhF' alias llt='ls -latrF' alias lr='ls -latrF' alias la='ls -ahF' alias lla='ls -lahF' alias lc='ls -CaF' alias p='ping' alias pst='ps axjf' alias t='telnet' alias n='nslookup' alias o='less' if [ -x /usr/bin/vim ]; then alias vi='vim' fi alias grep='grep --color=auto' alias gerp='grep' alias ip='ip --color' alias ip4='ip -4 --color --brief addr | grep -v UNKNOWN' alias ip6='ip -6 --color --brief addr | grep -v UNKNOWN' # other alias add='/opt/yce/system/patches/vendor_support.pl add' alias perl='/opt/ycelib/perl/bin/perl' alias perldoc='/opt/ycelib/perl/bin/perldoc' alias srch='/opt/yce/system/tools/srch.pl'
Httpd
# enable the httpd service at startup
sudo systemctl enable httpd
# this creates the following symlink:
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service
# mv ssl, nss, manual out of the way
sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.unwanted sudo mv /etc/httpd/conf.d/nss.conf /etc/httpd/conf.d/nss.conf.unwanted sudo mv /etc/httpd/conf.d/manual.conf /etc/httpd/conf.d/manual.conf.unwanted
# This should actually be done in yce_setup.pl, it is dependent on the choice for SSL/https.
sudo mv /etc/httpd/conf.modules.d/00-ssl.conf /etc/httpd/conf.modules.d/00-ssl.conf.unwanted
# put a '#' in front of every line in welcome.conf. If the file is deleted, it will be put back after an upgrade of apache
sudo sed -i -e 's/^/# /' /etc/httpd/conf.d/welcome.conf
# suexec wasn't active on centos6, so disabled it as well on centos7. Eric, is this required?
sudo sed -i -e 's@^LoadModule suexec_module modules/mod_suexec.so@# LoadModule suexec_module modules/mod_suexec.so@' /etc/httpd/conf.modules.d/00-base.conf
Setup the perl env.
# copy the perl bin to the new system
sudo mkdir /opt/ycelib sudo chown yce:nms /opt/ycelib sh yceperl_7.0.2.bin # as yce user, no sudo!
Cron
it seems like there is no entry for the yce user needed in /etc/cron.allow for the user to be able to create crontab entries
Yce directories
as yce user
sudo mkdir /var/opt/yce cd /var/opt/yce sudo mkdir backup configs download jobs logs output sudo chown -R yce:nms /var/opt/yce/
Ycicle user
# use the UID and GID from this user for the following cmd (if you followed this installation guide both values will be 8000)
cat /etc/passwd | grep yce useradd -M -d /var/opt/shared -s /bin/bash -o -u 8000 -g 8000 ycicle passwd ycicle
prevent expiry
/usr/bin/passwd -n 0 -x 99999 -i -1 ycicle
make sure the shell of ycicle user is set to /bin/MySecureShell
Vsftpd
replace the contents of /etc/vsftpd/vsftpd.conf with the following:
# NetYCE 2019
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/opt/yce/logs/ftpxfer.log
vsftpd_log_file=/var/opt/yce/logs/ftplog.log
xferlog_std_format=YES
chroot_list_enable=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
local_root=/var/opt/shared
secure_chroot_dir=/var/opt/shared
chown_username=yce.nms
guest_enable=NO
force_dot_files=NO
hide_file={.yce_prop}
delete_failed_uploads=YES
log_ftp_protocol=NO
and the following in /etc/vsftpd/chroot_list:
ycicle
put the following in /etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
UseDNS no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Subsystem sftp internal-sftp
Match User ycicle
# ChrootDirectory /var/opt/shared
# ForceCommand internal-sftp
# ForceCommand /opt/yce/bin/cpsh.pl
AllowTCPForwarding no
X11Forwarding no
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Create the following in /etc/ssh/sftp_config
The limited download speeds (100mbps global and 10mbps per session) are intended as guidelines to prevent multiple
OS-file transfers to consume too much bandwidth. These values can be adjusted to suit server and network capabilities.
## MySecureShell Configuration File ##
# NetYCE 2019
# Default rules for everybody
<Default>
GlobalDownload 100m #total speed download for all clients
# o -> bytes k -> kilo bytes m -> mega bytes
GlobalUpload 0 #total speed upload for all clients (0 for unlimited)
Download 10m #limit speed download for each connection
Upload 0 #unlimited speed upload for each connection
StayAtHome true #limit client to his home
VirtualChroot true #fake a chroot to the home account
LimitConnection 50 #max connection for the server sftp
LimitConnectionByUser 50 #max connection for the account
LimitConnectionByIP 50 #max connection by ip for the account
Home /var/opt/shared/
Shell /opt/yce/bin/cpsh.pl
IdleTimeOut 30m # disconnect idle client after 30 min
ResolveIP false #resolve ip to dns
IgnoreHidden true #treat all hidden files as if they don't exist
DirFakeUser true #Hide real file/directory owner (just change displayed permissions)
DirFakeGroup true #Hide real file/directory group (just change displayed permissions)
DirFakeMode 0400 #Hide real file/directory rights (just change displayed permissions)
#Add execution right for directory if read right is set
HideNoAccess true #Hide file/directory which user has no access
# MaxOpenFilesForUser 20 #limit user to open x files on same time
# MaxWriteFilesForUser 10 #limit user to x upload on same time
# MaxReadFilesForUser 10 #limit user to x download on same time
DefaultRights 0640 0750 #Set default rights for new file and new directory
# MinimumRights 0400 0700 #Set minimum rights for files and dirs
ShowLinksAsLinks false #show links as their destinations
ConnectionMaxLife 2h #limits connection lifetime to 2 hours
# Charset "ISO-8859-15" #set charset of computer
</Default>
<User ycicle>
Shell /opt/yce/bin/cpsh.pl
Home /var/opt/shared/
VirtualChroot true
ResolveIP false
IgnoreHidden true
ShowLinksAsLinks false
</User>
#Include /etc/my_sftp_config_file #include this valid configuration file
Create network config files
before we start this, run the yce binary and just enter through everything so that all directories will get created and files will be put in place, as root (filename may differ ofcourse):
sh yce_7.1.1_20190522.bin
At the moment net_setup.pl only supports centos6, therefore we need to create the network config files manually: revise the information below to suit your situation.
IP=192.168.56.101 HOSTNAME=rhel7 DOMAIN=netyce.org IFNY=enp0s8 IFNAT=enp0s3 HWADDRNY=08:00:27:DF:B5:07 DNS1=8.8.8.8 DNS2=8.8.4.4
cat > /opt/yce/etc/net_setup.xml << EOF
<setup>
<local name="accounts" root_password="initialized at 2015-04-01 09:00:30" yce_password="initialized at 2015-04-01 09:00:37" />
<local name="host" application_if="$IFNY" domainname="${DOMAIN}" fqdn="${HOSTNAME}.${DOMAIN}" hostname="${HOSTNAME}" networking="yes" ntpaddress="149.210.205.44" />
<local name="net">
<$IFNAT bootproto="dhcp" device="$IFNAT" dhcphostname="${HOSTNAME}.${DOMAIN}" gatewaydev="$IFNAT" ipv4address="10.0.3.15" ipv4gateway="10.0.3.2" ipv4netmask="255.255.255.0" ipv4network="10.0.3.0" ipv4prefix="24" macaddress="08:00:27:e4:c0:79" name="$IFNAT" nmcontrolled="yes" onboot="yes" peerdns="yes" primarydns="$DNS1" secondarydns="$DNS2" type="Ethernet" />
<$IFNY bootproto="static" device="$IFNY" dhcphostname="" gatewaydev="$IFNAT" ipv4address="$IP" ipv4gateway="automatic" ipv4netmask="255.255.255.0" ipv4network="192.168.56.0" ipv4prefix="24" macaddress="$HWADDRNY" name="$IFNY" nmcontrolled="yes" onboot="yes" peerdns="yes" primarydns="$DNS1" secondarydns="$DNS2" type="Ethernet" />
</local>
</setup>
EOF
# YCE setup
cat > /opt/yce/etc/yce_setup.xml << EOF
<setup>
<override>
<configs crontab="update" httpd="update" mojo="update" network="keep" />
<daemons yce_ibd="disable" yce_nccmd="enable" />
</override>
<yce name="$HOSTNAME">
<database database_id="1" type="mysql" />
<host domainname="$DOMAIN" fqdn="${HOSTNAME}.${DOMAIN}" hostname="$HOSTNAME" />
<httpd mode="root" proto="http" type="apache" urlbase="name" />
<login domainname="$DOMAIN" expire="10" />
<mojo port="8080" server="mojo" />
<morbo port="3000" />
<net ipv4="$IP" />
<roles database="yes" frontend="yes" />
<wiki domain="netyce.com" ip="" local="no" name="wiki" proto="http" />
<yce_db primary_db="$HOSTNAME" secondary_db="" />
</yce>
</setup>
EOF
make sure the ownership of yce_setup.xml and net_setup.xml is yce:nms
tool_setup.xml
cat > /opt/yce/etc/tool_setup.xml << EOF
<!--
=== Scheduler and job tool configuration file ===
See the NetYCE wiki article for a detailed description:
http://wiki.netyce.com/doku.php/operate:jobs:job_configuration
Currently supported job_type names:
command_job
basic_cmd_job
startup_cfg
reload_node
connect_dce
RXvlan_job
port_config - does not use scheduler: no approvals apply
os_upgrades
Job types not listed above currently will use the <default> job definitions. Support
will be incorporated in ongoing releases.
Job-types not configured explicitly below will also use the <default> job definitions.
All variables not configured explicitly in their <job_type> definitions will
be lifted from the <default> definition.
-->
<tool_setup>
<queues>
<queue name="evpn" done_age="180" cancel_age="1800" job_int="20" max_run="50" max_wait="3600" />
<queue name="ios" done_age="180" cancel_age="1800" job_int="5" max_run="20" max_wait="3600" />
<queue name="yce" done_age="180" cancel_age="1800" job_int="2" max_run="50" max_wait="3600" />
</queues>
<defaults job_type="default" queue="yce">
<auditors levels="3456" />
<notify pending="yes" cancel="yes" suspend="yes" />
<approvals name="1" levels="" threshold="0" limit="0" />
<approvals name="2" levels="" threshold="0" limit="0" />
<approvals name="3" levels="" threshold="0" limit="0" />
<approvals name="4" levels="" threshold="0" limit="0" />
<approvals name="5" levels="" threshold="0" limit="0" />
<approvals name="6" levels="" threshold="0" limit="0" />
<change_id option="1" hint="C000xxxxxx">
<validation>^C000(\d){6}$</validation>
<validation>^O000(\d){6}$</validation>
<validation>^O000(\d){6}\-(\d){3}$</validation>
</change_id>
</defaults>
<command_job job_type="command_job" queue="yce">
<auditors levels="3456" />
<notify pending="yes" cancel="yes" suspend="yes" />
<approvals name="2" levels="" threshold="0" limit="0" />
<approvals name="3" levels="" threshold="0" limit="0" />
<approvals name="4" levels="" threshold="0" limit="0" />
<approvals name="5" levels="" threshold="0" limit="0" />
<approvals name="6" levels="" threshold="0" limit="0" />
<change_id option="1" hint="C000xxxxxx">
<validation>^C000(\d){6}$</validation>
<validation>^O000(\d){6}$</validation>
<validation>^O000(\d){6}\-(\d){3}$</validation>
<validation>^T000(\d){6}$</validation>
</change_id>
</command_job>
<startup_config job_type="startup_config">
<change_id hint="T000xxxxxx">
<validation>^T000(\d){6}$</validation>
</change_id>
</startup_config>
<RXvlan_job job_type="RXvlan_job" queue="evpn">
</RXvlan_job>
<os_upgrades job_type="os_upgrades" queue="ios">
</os_upgrades>
</tool_setup>
EOF
/var/opt/shared/ directory
make sure /var/opt/shared is owned by root:root and has 755 rights
/var/opt/shared/public has to be owned by yce:nms and also have 755 rights
Systemctl config files
run the binary again, this time we should be able to generate config files:
sh yce_7.1.1_20190522.bin
# httpd
cp /opt/yce/etc/rhel7_httpd.conf /etc/httpd/conf.d/yce.conf mkdir /etc/systemd/system/httpd.service.d cp /usr/lib/systemd/system/httpd.service /etc/systemd/system cp /opt/yce/system/init/httpd.service.d-yce.conf /etc/systemd/system/httpd.service.d/yce.conf systemctl daemon-reload systemctl restart httpd
# MariaDB
cp /opt/yce/etc/rhel7_mysql.conf /etc/my.cnf cp /usr/lib/systemd/system/mariadb.service /etc/systemd/system/ mkdir /etc/systemd/system/mariadb.service.d cp /opt/yce/system/init/mariadb.service.d-yce.conf /etc/systemd/system/mariadb.service.d/yce.conf systemctl daemon-reload
Systemctl psmon
root@rhel7 /etc/systemd/system # cp /opt/yce/system/init/yce_psmon.service . systemctl daemon-reload systemctl stop yce_psmon
Install the binary
sh yce_7.1.1_20190522.bin
Backup and Extraction will use /usr/bin/openssl and /usr/bin/gtar
Will extract to '/var/tmp/yce_install/YCE_7.1.1_20190522'
Skipping rollback archive: file exists 'YCEsrc_rhel7_20190806.des3'
Starting YCE installation verifications
Located YCE perl. Good
Installing YCE with 'root' privileges
Verifications complete
Found installation YCE manifest file '/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml'. Good
Reading manifest '/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml'
Parsing manifest parameters
Looking for existing YCE configuration
Loading existing YCE configuration
Will perform installation update in '/opt/yce'
Continue to do an UPDATE install? [Y] Y
Located YCE license file '/opt/yce/etc/yce_license'
Location of 'yce_license'? [/opt/yce/etc/yce_license]
Will use YCE license file '/opt/yce/etc/yce_license'. Good
License registered to 'netYCE'
OK: License will not expire until '20191231'
/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml version = 7.1.1
License version '7' matches distribution version '7.1.1'. Good
You have licences for:
IOS
Rabo_spc
NCCM
Ziggo_sp
Infoblox
Netcool
YCE
Vancis_s
Found YCE distribution archive '/var/tmp/yce_install/YCE_7.1.1_20190522/YCEsrc_7.1.1_20190522.des3'. Good
Scanning build information of previous installed manifests
WARNING: Missing manifest file of previous installation
Must perform an initial install using interactive shell
Cannot continue using automatic updates - must perform first install
Error found. Continue? y
Starting package installations
yce_core (1)
nccm (2)
c3_connect (3)
rabo_dns_uitwijk (4)
dce_connect (5)
netcool_reporter (6)
ziggo_ipvpn (7)
rabo_wlc_poller (8)
netcool_services (9)
rabo_cmdb (10)
infoblox_dhcp (11)
rabo_systems (12)
os_upgrades (13)
rn3_evpn_failover (14)
netcool_mes (15)
infoblox_dns (16)
rabo_acs_update (17)
rabo_webcheck (18)
rn3_central (19)
rn3_sla (20)
Removing unlicensed package 'compliancy', requiring license 'Compliancy'
File installation complete
Do you want to create config files at this time? [Y]
Starting configuration creation
-- ----------------------------------------
-- Starting 'yce_setup' interactive
-- operating system: CentOS (7.6.1810)
-- read network setup: '/opt/yce/etc/net_setup.xml'
-- read yce setup: '/opt/yce/etc/yce_setup.xml'
WARNING: No NetYCE database can be reached
YCE servers currently in setup:
# Hostname IP-address FQDN
* 0) rhel7 192.168.56.103 rhel7.netyce.org
Select the server# to Remove, or 'A' to add, 'C' to continue: [C]
YCE server roles:
# Hostname Front-end SSL HTTPD URL Mojo Database Id
* 0) rhel7 yes http root name 8080 yes 1
Select the server# to change, 'C' to continue: [0] C
YCE server database mapping:
# Hostname Db-Id Primary Secondary
* 0) rhel7 1 rhel7
Select the server# to change, 'C' to continue: [0] C
Login setup:
Domain name for login (single-sign-on cookie)? [netyce.org]
Hours until Login session expiry (single-sign-on cookie)? [10]
Login setup:
Single-sign-on domain Expire (hrs)
netyce.org 10
Wiki setup:
'rhel7' will use the NetYCE public Wiki server? [Y]
-- New setup
#
# YCE Server overview:
# Name Domain IP-address Database Front-end Primary-db Secondary-db
# ---- ------ ---------- -------- --------- ---------- ------------
# rhel7 netyce.org 192.168.56.103 id=1 yes rhel7
#
-- Saved setup in '/opt/yce/etc/yce_setup.xml'
Create the YCE, httpd, and mysql configuration files for the this system
* 0) 'rhel7'
Create configuration for local server (y/n) ? [Y]
-- Create configs for server 'rhel7'
-- Yce: /opt/yce/etc/rhel7_yce.conf
WARNING vsftpd_conf: 'vsftpd_conf': psmon not running
WARNING sftp_conf: 'sftp_conf': psmon not running
WARNING vsftpd_chroot: 'vsftpd_chroot': psmon not running
WARNING sshd_conf: 'sshd_conf': psmon not running
cannot support 'sftp'
cannot support 'scp'
cannot support 'ftp'
can support 'tftp'
-- Mojo: /opt/yce/htdocs/angular/app/host.js
-- mojo url set to 'http://rhel7.netyce.org:8080/'
-- wiki url set to 'http://wiki.netyce.com/'
-- cacheswap 'rhel7' now at '201908060618'
-- Yce_psmon: /opt/yce/etc/rhel7_psmon.conf
ERROR: No sudo permissions available
ERROR: No sudo permissions available
ERROR: No sudo permissions available
ERROR: No sudo permissions available
-- Crontab: /opt/yce/etc/rhel7_crontab.conf
-- Httpd: /opt/yce/etc/rhel7_httpd.conf
-- Mysql: /opt/yce/etc/rhel7_mysql.conf
-- mysql version is '10.3.17'
-- mysql key_buffer set to '202M'
-- mysql tmpdir set to '/var/tmp'
-- Updating 'rhel7' menu-tree (C)
-- Creating menus for the role(s): "frontend","database"
-- Renewed the menu tree using the default
-- Updating 'rhel7' encryption keys
-- Updating scenario syntax highlighting file
-- Renewing NMS table permissions
-- Updating 'rhel7' my.cnf
WARNING: psmon copy failed (not running)
-- Daemons to restart: yce_psmon mysqld yce_tftpd yce_skulker yce_sched yce_nccmd yce_ibd morbo mojo
-- Relaunching NetYCE daemons...
-- yce_psmon:
start: yce_psmon start
wait start 'yce_psmon':
-- mysqld:
start: mysql start
wait start 'mysqld':
-- yce_tftpd: 3165
stop: /bin/sudo /opt/yce/system/init/yce_tftpd stop
wait stop 'yce_tftpd':
start: /bin/sudo /opt/yce/system/init/yce_tftpd start
wait start 'yce_tftpd': 3668
-- yce_skulker: 3185
stop: /opt/yce/system/init/yce_skulker stop
wait stop 'yce_skulker': 3185
wait stop 'yce_skulker':
start: /opt/yce/system/init/yce_skulker start
wait start 'yce_skulker': 3691
-- yce_sched: 3207
stop: /opt/yce/system/init/yce_sched stop
wait stop 'yce_sched':
start: /opt/yce/system/init/yce_sched start
wait start 'yce_sched': 3713
-- yce_nccmd:
start: /opt/yce/system/init/yce_nccmd start
wait start 'yce_nccmd': 3725
-- yce_ibd:
# disabled
-- morbo:
# disabled
-- mojo: 3305 3306 3307 3308 3309 3310 3311
stop: /opt/yce/system/init/yce_mojo stop
wait stop 'mojo':
start: /opt/yce/system/init/yce_mojo start
wait start 'mojo': 3798 3799 3800 3801 3802 3803 3804
-- done
Relaunching XCH API...
Stopping daemon 'yce_xch': 3347
Starting daemon 'yce_xch'
-- Completed
SKIPPING PATCH INSTALL
The patches MUST be installed when the YCE database is operational
Patches must be installed using:
'/opt/yce/system/patches/patch_install.pl'
Installation completed
Exiting installation. Cleanup
Cleanup YCEsrc_7.1.1_20190522
Completed - 1 Errors detected
Database import
put database in place, I assume you made a .tgz of the /var/opt/mysql dir of a running NetYCE you want to migrate.
systemctl disable mariadb sytemctl stop mariadb
check if there is a .conf file is present in the following dir /etc/systemd/system/mariadb.service.d/ ifso delete it:
rm migrated-from-my.cnf-settings.conf
Make sure /var/opt/mysql/ is empty before copying your database into it, in my case I extracted a database in /home/yce/var/opt/mysql/:
rm -rf /var/opt/mysql/* cp -a /home/yce/var/opt/mysql/* /var/opt/mysql/ sudo systemctl enable mariadb sudo systemctl start mariadb
If you see a message like “Warning: mariadb.service changed on disk. Run 'systemctl daemon-reload' to reload units.” check with
ps -axuf | grep mysql
if it's really running or not, because as I am writing this this seems to be a false message and the daemon is actually running.
after database is running, as yce user:
go patches ./patch_install.pl
you might encounter the following:
[18112302] ERROR: Failed to create Ipv6_map_view Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
[18112302] Adding Mgmt_addr column to Ipv6_map table failed
ERROR: Patch '18112302' failed
[19022703] ERROR: Failed to create Ipv6_map_view Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
[19022703] renewing Ipv6_map_view view failed
ERROR: Patch '19022703' failed
[19022707] ERROR: Cannot create view 'Ipv6_subnet_view': "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
[19022707] Updating Ipv6 subnet view failed
ERROR: Patch '19022707' failed
fix this by doing the following:
$ mysql_upgrade -u netYCE -p Enter password: Phase 1/7: Checking and upgrading mysql database Processing databases (I will skip all output that says OK, because there's a lot of that) Phase 2/7: Installing used storage engines... Skipped Phase 3/7: Fixing views YCE.Ipv6_prefix_view Error : Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error error : Corrupt
run
yce_setup.pl -r
to regenerate the configuration
somehow vsftpd doesnt get started at this moment, so for the time being:
sudo systemctl enable vsftpd sudo systemctl start vsftpd
